Understand Delegated Authentication

With delegated authentication, identity domain administrators and security administrators don’t have to synchronize user passwords between an on-premises Microsoft Active Directory (AD) enterprise directory structure and Oracle Identity Cloud Service. Users can use their AD passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.

Prerequisite

Enabling delegated authentication is a Standard License feature. To learn about Standard License features, see Standard License Tier Features for Oracle Identity Cloud Service.

Suppose you have an AD domain that contains user accounts that you want to import into Oracle Identity Cloud Service. To transfer these accounts, install and configure an AD Bridge for this domain. The AD Bridge provides a link between the domain and Oracle Identity Cloud Service. Oracle Identity Cloud Service can synchronize with this domain so that any new, updated, or deleted user records are transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between AD and Oracle Identity Cloud Service. See Manage Microsoft Active Directory (AD) Bridges for Oracle Identity Cloud Service for more information about installing and configuring AD Bridges in Oracle Identity Cloud Service.

After using an AD Bridge to transfer user accounts from the AD domain into Oracle Identity Cloud Service, you can configure Oracle Identity Cloud Service so that users from this domain must use their AD passwords to sign in. To do this, activate delegated authentication for the AD Bridge. Before you do, verify that the AD credentials of a user in the domain can be used to sign in to Oracle Identity Cloud Service, so that any issues can be resolved while delegated authentication is still inactive.
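The pre-activation check above is a sign-in to Oracle Identity Cloud Service with the user's AD credentials. When that sign-in fails, the first question is whether the AD side is at fault (wrong password, disabled or locked account) or the bridge is. The following PowerShell is an added example, not code from the Oracle documentation or the AD Bridge: run on the AD Bridge host (or any domain-joined machine), it validates the test user's password against the domain with the same kind of bind delegated authentication relies on, and reports the account state. The domain name, account name and password prompt are placeholders.

```powershell
# Added example (not from the Oracle documentation): confirm from the AD side
# that a test user's AD password and account state will allow a delegated
# sign-in, before activating delegated authentication on the AD Bridge.
# Domain name, account name and the prompt below are assumptions for illustration.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADBridgeCandidate {
    param(
        [Parameter(Mandatory)] [string] $Domain,          # e.g. corp.example.com (assumed)
        [Parameter(Mandatory)] [string] $SamAccountName,  # the user who will test the IDCS sign-in
        [Parameter(Mandatory)] [securestring] $Password
    )

    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $Domain)

    # Account state first: a correct password on a disabled or locked-out account
    # still fails the sign-in, and the cloud-side error will not say why.
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $SamAccountName)
    if (-not $user) {
        return [pscustomobject]@{
            User = $SamAccountName; Found = $false; Enabled = $null
            LockedOut = $null; PasswordValid = $false; LastPasswordSet = $null
        }
    }

    # Expose the plaintext only for the bind call, then zero it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Negotiate bind against the domain: this is the check that must succeed
        # for the AD password to be usable once delegated authentication is on.
        $valid = $ctx.ValidateCredentials($SamAccountName, $plain,
                    [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        User            = $SamAccountName
        Found           = $true
        Enabled         = $user.Enabled
        LockedOut       = $user.IsAccountLockedOut()
        PasswordValid   = $valid
        LastPasswordSet = $user.LastPasswordSet
    }
}

# Usage (placeholder values): prompt for the password rather than passing it on the command line.
$testPassword = Read-Host -AsSecureString -Prompt "AD password for the test user"
Test-ADBridgeCandidate -Domain 'corp.example.com' -SamAccountName 'jdoe' -Password $testPassword
```

Each failed ValidateCredentials call counts as a bad-password attempt against the domain lockout policy, so run this once per user rather than in a loop. A result of Found, Enabled and PasswordValid all true with LockedOut false means a failing sign-in to Oracle Identity Cloud Service should be investigated on the bridge and cloud side, not in AD.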

After you activate delegated authentication in Oracle Identity Cloud Service, any password change or reset that you make in Oracle Identity Cloud Service is written directly to AD. The AD password policies apply to the new password; the password policies configured in Oracle Identity Cloud Service don't. Oracle Identity Cloud Service doesn't store or maintain the password.

Statuses

The Microsoft Active Directory (AD) Bridge reports one of three statuses.

An AD Bridge, which Oracle Identity Cloud Service uses to communicate with an AD domain and to delegate authentication of that domain's users to AD, can have one of three statuses:
  • Connected: The AD Bridge is installed and configured, and can communicate with the domain.

  • No Clients Found: You installed or configured an AD Bridge without installing the client for the bridge. Click the "Click here to download the client." link to download the client for the bridge.

  • Incompatible Client Found: You used an outdated version of the client to install or configure an AD Bridge. Click the "Click here to download the client." link to download the current client for the bridge.